CVE-2026-39370
🟡 Monitoruj
Błąd SSRF w WWBN AVideo umożliwia atakującym wyciek danych przez złośliwe URL-e.
CVSS
7.1
EPSS
0.0%
Exploit
none
Vendor
wwbn
Opis źródłowy (NVD)
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732.
ssrf
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 7.1 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-04-07 20:16:31 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-22 18:50:11 UTC |
Referencje
- https://github.com/WWBN/AVideo/security/advisories/GHSA-cmcr-q4jf-p6q9 (security-advisories@github.com) [Third Party Advisory]